This Week In 'The NSA Knows F**king Everything': How It Hacked Most Hard Drives And SIM Cards

from the call-it-a-twofer... dept

Thought that the revelations of NSA/GCHQ spying were dying out? Having some "surveillance fatigue" from all the stories that have been coming out? Have no fear -- or, rather, be very very very fearful -- because two big new revelations this week show just how far the NSA will go to make sure it collects everything. First up: your hard drives. Earlier this week, Kaspersky Lab revealed that the NSA (likely) has figured out ways to hide its own spyware deep in pretty much any hard drive made by the most popular hard drive manufacturers: Western Digital, Seagate and Toshiba.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

As the report notes, it appears that this is a kind of "sleeper" software, that is buried inside tons of hard drives, but only "turned on" when necessary. The report notes that it's unclear as to how the NSA was getting this software in there, but that it couldn't do it without knowing the source code of the hard drive firmware -- information that is not easily accessible. A few of the hard drive manufacturers have denied working with the government on this and/or giving them access to the firmware. It's possible they're lying/misleading -- but it's also possible that the NSA figured out other ways to get that information.

And that brings us to door number two: your mobile phone's SIM card. Today, the Intercept revealed (via the Ed Snowden documents) how the NSA and GCHQ were basically able to hack into the world's largest manufacturer of mobile phone SIM cards in order to swipe encryption keys, so that your friendly neighborhood intelligence snooper can snoop on you too:

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

The details of just how the NSA hacked into Gemalto are quite a story -- and proves what a load of crap it is when the NSA and its defenders insist that they only target bad people. As former NSA (and CIA) boss Michael Hayden recently admitted, they actually like to spy on "interesting people." And who could be more interesting than the people who have access to the encryption keys on billions of mobile phones?

So, yeah, the NSA and GCHQ basically spied on IT folks at the company until they found a way in. So, the NSA spies on "bad guys" and "IT people" for the good guys. Because, I'm sure they'll claim, it helps them get the bad guys. We've seen this before, when the GCHQ hacked into Belgian telco giant Belgacom, allowing them to tap into communications at the EU Parliament. Hacking into various companies appears to be standard operating procedure for the NSA/GCHQ these days, with no thought to the collateral damage being caused.

And, yes, both of these hacks basically involve giving the NSA an astounding amount of access to our electronic devices:

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. “Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. “The news of this key theft will send a shock wave through the security community.”

[....]

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”

Between both of these big stories this week, it's clear that the NSA is basically deeply buried in pretty much every bit of electronic equipment these days, with the tools ready to go to spy on just about anything. The idea that this power isn't being abused regularly is pretty laughable.

Re: Re:

1) They have built such huge haystacks that they have to identify targets by other means, which works for interesting targets like Gemalto, but not terrorists.
2) High level terrorist leaders avoid electronic communications, but use secure communications means like trusted couriers.
3) Protesters, and political organizers and parties that are outside of the mainstream of politics, pose a greater threat to the establishment than the terrorists, and are the real targets of all this surveillance.

Re: Re: Re: Re: Re: Re:

This guy is probably one of them. They actually have disinfo guys stalk people around the internet to convince people directed energy weapons don't exist so their terror op will get through. 20 years ago these terrorism/intelligence practices were considered covert. Now a bored teenager can find the original research papers for some of the technology hosted on a .mil webpage in an afternoon of googling.

Directed Energy Weapons

What do you think that "Pulse" weapon is that cops use from helicopters to disable cars?

Five minutes on Google will give you hundreds of hits on building a damned powerful maser from an old microwave oven. Of course, about half of the plans have no shielding or collimator, so you'll fry yourself if you ever turn one on.

Re: Directed Energy Weapons

Some idiot has finally hooked an antenna up to the steering and acceleration/braking controls in some models. There should be a new rule. If you don't want it hooked up to the internet, don't put an antenna on it.

Re:

I bet that is exactly why the FBI doesn't want to reveal how the stingrays work. If people realize that the FBI/NSA/(insert agency here) can capture packets and decrypt them without any notification or trail then I bet most people would be very quick to not communicate vital/private information over a cell phone.

This is why we need to have end-to-end encryption as a layer on top of the normal encryption that phones already use.

Re:

Shouldn't there be some prosecutor out there working on a CFAA case against them?

Almost everyone is focusing on the NSA's ability to "get any data they want", but if the NSA and other TLAs are as deeply embedded into computer networks as they're rumored to be, then they have, or can get, read-write access to damn near anything they want. You have to assume they can trivially plant evidence as easily as they can retrieve it.

Unfortunately, if we've crossed the Rubicon, you can be certain that any prosecutors, judges, politicians, etc., who might initially push back against the NSA and other assorted three letter agencies might quickly find themselves convinced to look the other way, lest they end up out of a job or in prison.

Re: Re: Re: Re:

Can't wait to see someone try this defense in court and then lose terribly when it doesn't work.

That's exactly what would happen. Although for a politician or investigator, it wouldn't have to get to court - just to the press.

Our society's built-in skepticism and inclination to pre-judge guilt based on the news media is exactly why this would be such a nasty lever, were it to be used. People claim "it wasn't me" so frequently that no one pays attention when that might actually have been the case.

(Please note, I'm not saying this has actually happened. I have no idea if it has or not. But assuming the NSA has its fingers into everything as deeply as it's been reported, there's nothing that can really prevent it.)

Hard Drive Firmware

It is certainly feasible that the NSA did not need access to the firmware source code in order to pull off these kind of attacks. Ars Technica has an article explaining. These drives use standard debugging interfaces, and, with a bit of work, anybody with the right skill set can reverse engineer the firmware.

That's not to say that the NSA didn't have access to the firmware source. They certainly could get at it if they wanted. Just that they did not necessarily need the source in order to write this kind of malware.

Re: Hard Drive Firmware

I want to second what Kai said: it's easy. You can easily find YouTube videos discussing how the Chinese clone manufacturers do it against custom hardware; it would be much easier against mass produced parts that have to implement published specs.

Re: Hard Drive Firmware

This is exactly right. I have been hired on multiple occasions by companies who have lost the source code to their firmware. I recover it for them through reverse engineering, sometimes using that exact method.

Re: Hard Drive Firmware

Maybe the NSA did not have the source, the first time.

Once in, they could just use the host systems to deploy along with the manufacturer's change control and release, etc. No, that's too fancy for them; I think they interrupted the shipments. It wasn't just switches or routers...

Re: Re: Hard Drive Firmware

Remember 3-4 years ago when hard drive prices suddenly went up back to prices from, say, 2003? Well, I certainly do; the guy at the shop I always go to told me "a factory where 90% of hard drives are built was destroyed in a typhoon somewhere in Asia." That could just mean CSEC (in my case, hi guys!) grabbed a lot of hard drives from the warehouses they are stored in before being sent to retailers. So prices for already shipped hard drives go up for a while, which compensates the companies. Seriously, I never heard of such a hard-drive-factory-destroying typhoon. There are about 6 different large companies that make hard drives of the regular SATA kind; why would all of them use the same factory? Never heard of that.

I got a 500GB WD that is still working, although it has needed its circuit board changed for about 5 months; I didn't get to order one because I'm kinda annoyed that I will have to get the circuit board from anybody like that. (Such a thing didn't bother me the other times I changed circuit boards on hard drives, but that was in 2006-2007, kind of before a lot of things went to shit.)

Re: Re: Re: Hard Drive Firmware

You might have something. Especially with Windows. It seems like Windows is frequently saying a hard disk has become unusable, but putting in a Linux boot CD shows no problem. This happened three times in the last 2 years for me. In one case, I just made the machine a Linux machine; in the other case, using Linux, I was able to get the drive working with Windows again. It's one thing for them to put UA code on the device, but buggy code?

Re: Re: Re: Re: Hard Drive Firmware

I don't think you need to go looking for explanations for why Windows sometimes has problems. Occam's Razor would lead one to believe it's just problems with Windows, even if the drive actually is NSA-infected.

Even worse, NSA did nothing to close the security holes it discovered/opened up. If other entities are also injecting covert software on hard drive firmware, or also possess the Gemalto keys, *they* have just as much access to our data. No doubt, it's a national security threat.

If only we had some kind of department or agency in charge of dealing with that sort of thing.

Re: Re: Re:

Something tells me we haven't even scratched the surface of the abuse they're participating in this very minute.

And now, those of other nations who weren't aware of the extent of our "beloved" intel agencies......what are they gonna do, ignore it, call for a stop, or force a similar implementation they wouldn't have otherwise, thanks to our "beloved" intel agencies showing them just how far they went..........another bloody war, albeit a digital one, everything is fucking war with them........they're gonna keep escalating and escalating, one side then the next, trying to get a one up over another, before you know it, the internet will be the most insecure it has been in its entire fucking lifetime, opposite to the justification that they're "protecting" the internet.........f good for nothings, instigators of war.......no, instigators of big guy vs little guy in their struggle for dominance

"but that it couldn't do it without knowing the source code of the hard drive firmware -- information that is not easily accessible. A few of the hard drive manufacturers have denied working with the government on this and/or giving them access to the firmware. It's possible they're lying/misleading "

I read in another article that a company was asked by the government, who were gonna implement their ?something?, to hand over readable source code of their proprietary software, for security reasons (which, I might add, the public has as much right to as well). Anyway, the company representative suggested that it could be likely that they keep that source code indefinitely, which at minimum says there is no prior agreement to delete the code once audited.

I think it's plausible that a government would pull the national security card and demand the source code, so yeah, in this respect, I do believe they have access to what is normally closed source material in the public.

And I strongly suspect, considering the obvious benefits to entities such as our "beloved" intel agencies, that they have the same thing going on with closed source phone modems, a bit of kit that can receive/send data REMOTELY.

Time for an Update...

Looks like it's time for an update on the way that cellular communications are done... In addition to encrypting the wireless signals themselves, it's about time for the cell phone companies to add end-to-end encryption (like TLS) for the voice data as well. This way even if the wireless signal is cracked using the SIM keys, your communications are still secure.

If not, it looks like it is time that people stop using their cell minutes and switch to using VOIP over SSL and just using their data plans...

Re: Time for an Update...

I'd like to know what Gemalto is gonna do about it........knowing that what they've handed out is not secure, will they ignore this in the hopes that too few people find out about it to cause any issues, or will they be outraged and say/do ....something to oppose such actions and restore a tinsy winsy little faith

Re:

There's nothing Gemalto _can_ do about it that would be meaningful. The specification was designed more to ensure that unauthorized handsets couldn't use the network than to prevent mass surveillance from an organization with access to all of their keying material.

"Oh, hey, sorry about the compromised crypto keys on that first SIM, here's a free replacement. We know that _these_ crypto keys are secure because, well, Um...."

Re: Re:

I get it, but a public statement would fall under my minimum category. I don't expect a fix, but I at least expect them to say something for the record.......given enough of these, I'm pretty sure the pressure will start mounting up for meaningful change, whether internally by governments, or externally by programmers consistently hearing about these statements........maybe enough so that it's going through their minds when they're planning their new project from the ground up, who knows, maybe the next evolution of defensive privacy/security is around the corner........

Re: Re:

There's nothing Gemalto _can_ do about it that would be meaningful. The specification was designed more to ensure that unauthorized handsets couldn't use the network than to prevent mass surveillance from an organization with access to all of their keying material.

I don't see any reason why Gemalto should have all the keying material. It should be the carriers that program a key into each one--and ideally, that key would only be used once, to sign a key that the SIM creates on first use. And that new key should be used rarely, to sign ephemeral keys with perfect forward secrecy. (Of course, if the carrier keeps a key to update SIM firmware, that would make a tempting target for the NSA.)

Re: Re: Re:

I don't see any reason why Gemalto should have all the keying material.

This is the same thing RSA Security ran into with their keyfobs. For some reason they shipped them keyed instead of blank. Not only that, the private key was pushed to the fob instead of being generated by it—it's not like RSA haven't heard of public key crypto—and thus the keys were all compromised.

Re: Re: Re:

They have it because the threat model when the spec was developed excluded (accidentally or intentionally) "TLAs grabbing all the keys".

The current crypto key generation model saves time and costs associated with key generation at the time of deployment, and frankly, is probably a large part of why deployment is so smooth (I can go to my cell phone carrier today, ask for a SIM card, and get one, pretty much no questions asked).

(And, by the way, anyone know if the SIM's pre-printed ID is also the key? From what I've seen, the crypto algorithms are clearly symmetric; there's no reason the SIM ID couldn't be the actual crypto key.)

Re:

Yes, there is.

This is about the crypto used in the communications with the cell tower. That crypto's primary purpose is to ensure that no unauthorized phones are using the cell system. It's not really intended to protect your privacy as such.

The breaking of the crypto exposes real vulnerabilities, though, and can make it possible for attackers to gain total access to your phone. If they have that, then they could obtain the private keys to your own crypto. If that happens, all bets are off.
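The quotes in the article ("once you have the keys, decrypting traffic is trivial"; bulk theft also unlocks recordings already captured), the commenter's proposal above that the long-term key should only sign ephemeral keys with forward secrecy, and the reply that the link crypto is symmetric all describe the same structural property, so here is one toy model of both designs. This is an added example, not code from the article, from Gemalto or from any operator: the SIM algorithms (A3/A8) are stood in for by HMAC-SHA256, the key agreement is textbook Diffie-Hellman in a deliberately toy-sized group, and the Ki database entry is constructed.

```python
"""Toy model of SIM authentication: the shared-secret scheme (one long-term key
Ki held by both the SIM and the operator) beside a design where fresh per-session
keys are agreed and Ki only authenticates the exchange. Constructed example,
not code from the article, Gemalto or any operator. A3/A8 are replaced by
HMAC-SHA256 and the key agreement by textbook Diffie-Hellman in a toy group;
the structure, not the primitives, is what this shows."""
import hashlib
import hmac
import secrets

# Constructed key database: what a SIM maker or operator holds, one Ki per SIM.
KI_DATABASE = {
    "8901-0000-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

# ---- Model 1: shared-secret challenge/response ----------------------------

def derive_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: the SIM's answer to the challenge RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def derive_session_key(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: the air-link key Kc is a pure function of (Ki, RAND)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def shared_key_handshake(imsi: str, rand: bytes) -> bytes:
    """Operator sends RAND in the clear, SIM replies with SRES, both derive Kc."""
    ki = KI_DATABASE[imsi]
    sres_from_sim = derive_sres(ki, rand)             # computed on the SIM
    if not hmac.compare_digest(sres_from_sim, derive_sres(ki, rand)):
        raise ValueError("authentication failed")     # operator-side check
    return derive_session_key(ki, rand)

def passive_observer_with_key_db(imsi: str, observed_rand: bytes) -> bytes:
    """Holding the Ki database plus the cleartext RAND of a recorded session is
    enough to rebuild Kc, for that session and for any earlier recording."""
    return derive_session_key(KI_DATABASE[imsi], observed_rand)

# ---- Model 2: ephemeral keys, long-term secret used only to authenticate ---

P = 2**127 - 1   # Mersenne prime M127: toy-sized group so the example runs offline
G = 3            # a real deployment would use a standard group such as X25519

def ephemeral_handshake(ki: bytes):
    """Both sides draw a fresh DH secret; Ki authenticates the public values.
    Returns the public transcript, its authentication tag and the session key."""
    a = secrets.randbelow(P - 2) + 1     # SIM's ephemeral secret, never sent
    b = secrets.randbelow(P - 2) + 1     # operator's ephemeral secret, never sent
    A, B = pow(G, a, P), pow(G, b, P)
    transcript = A.to_bytes(16, "big") + B.to_bytes(16, "big")
    tag = hmac.new(ki, transcript, hashlib.sha256).digest()
    shared_sim, shared_net = pow(B, a, P), pow(A, b, P)
    assert shared_sim == shared_net
    session_key = hashlib.sha256(shared_sim.to_bytes(16, "big")).digest()[:16]
    return transcript, tag, session_key   # a and b are dropped here

def passive_observer_with_key_db_ephemeral(ki: bytes, transcript: bytes, tag: bytes):
    """With Ki the observer can check the tag (it learns that this SIM talked to
    this operator) but the session key needs a or b, which never left the
    endpoints. Returns (tag_valid, recovered_session_key)."""
    expected = hmac.new(ki, transcript, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), None

if __name__ == "__main__":
    imsi = "8901-0000-0001"
    rand = secrets.token_bytes(16)
    kc = shared_key_handshake(imsi, rand)
    print("shared-secret model, observer rebuilds Kc:",
          passive_observer_with_key_db(imsi, rand) == kc)
    transcript, tag, sk = ephemeral_handshake(KI_DATABASE[imsi])
    valid, recovered = passive_observer_with_key_db_ephemeral(KI_DATABASE[imsi], transcript, tag)
    print("ephemeral model, tag verifies:", valid, "observer rebuilds key:", recovered is not None)
```

The first model is why a stolen key database is retroactive: RAND travels in the clear, so a recording plus Ki yields Kc for every session in the archive. In the second model the same stolen Ki still lets the holder authenticate or impersonate going forward, which is why the commenter also flags the carrier's firmware-update key, but it no longer turns a passive recording into plaintext.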

Hard to sound crazy, but. . .

As a Linux user I have wondered if they have a hand in systemd, with its change to binary logs and overall obscuring of the boot process. Red Hat, like any other company, doesn't want to risk losing profitable government contracts by not helping to stop terrorists.

Re: Hard to sound crazy, but. . .

Linux is not that well protected once the attacker gains physical access to the machine; it was designed to prevent remote attacks.

E.g. you can bypass the authentication and gain root access by modifying the kernel boot parameters in GRUB. Disk encryption helps a lot in this scenario, but since we assume physical access, a key logger or well-placed camera should work fine against password-protected disk encryption...

Hats off to Snowden for risking his life to tell us what he did. He surely has earned his place as the most epic leaker in history. But it's hilarious that despite all its billions of dollars, its massive team of super geniuses, and complete and utter unaccountability for doing damn near anything legal or otherwise, the NSA still let a barely-above-average contractor walk out with millions of pages of its most valuable secrets.

Re:

I think it is inaccurate that Snowden was a "barely-above-average contractor". It sounds like he was very talented and that is how he ended up getting such privileges.

Good news is that post-Snowden they have probably become so paranoid about access as to cripple their operations. It is also likely that they have tightened up vetting on staff to the point where only the most useless authoritarian, Asperger's types make it through. This is on top of the major recruitment problems that will already have resulted from widespread public outrage.

Keep it up friends. The alphabet bandit agencies are dangerous, criminal organizations. Keep repeating it. Again and again. Until they are so toxic that no one wants to associate with them.

With these stolen encryption keys, 'intelligence' agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments.

So basically, I'm now a terrorist even without any evidence against me. Oh well, I might as well go do what I'm accused of since I'm guilty until proven innocent through torture. See me beheading James Clapper in Daesh territory on YouTube next week!

wha?

I'm afraid some of you have the wrong ideas here. They now have an added feature on all electronics, remember the old machine language? You had to program in assembly to get interpreted to proto basic to run the function at machine level, that's where this is. On the chip that activates the machine, it tells the transistors what to register. So they know what and where, now to get them to do something legal with this information, like legally solve a crime. Think of all the missing people in the world that have some electronic thing with them! All the criminals thought to be evading the law, all the thought crimes, like a dog barking up a tree, right. Them doing something good? Hah..

Time for a new open source project

One to update hard drive firmware with a known _good_ (a.k.a. non-NSA bugged version).

The second to update the encryption keys in your SIM cards.

Boot from a known _good_ copy of Linux (read-only media), reflash HD firmware as soon as you open the box. Check again every so often to make sure it's still clean.

Installing a new OS used to consist of:
- Partition the hard drive
- Format the hard drive
- Install the OS

Now it needs to be:
- Reflash the hard drive firmware
- Partition the hard drive
- Format the hard drive
- Install the OS

Sure TAO can probably find a way to monkey with it again, but then they'll have to _actively_ do something. Surveillance has gone ultra-wide band because it's gotten so easy. When you used to have to break into some one's home or office, plant a bug, monitor that bug, transcribe what you hear, etc. not a lot of people were surveilled. Now you can just use a computer to tap the internet, track everyone by their cell phones, and now break into large numbers of computers using sleeper hard drive firmware from the comfort of their own offices.

We may not ever be able to completely stop the NSA/GCHQ/etc., but we can sure make it as difficult/time consuming/painful as possible.

Then _maybe_ they'll have to be a bit more particular about who they surveil.
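The "check again every so often" step above needs something concrete to compare against. The following is an added example, not code from the comment or from any drive vendor: it records the identity a drive reports (model, serial, firmware revision) in the line format that `smartctl -i` prints (assumed here: "Device Model:", "Serial Number:" and "Firmware Version:" lines), and diffs a later reading against that baseline. The sample output and baseline are constructed. The check only catches changes visible in what the drive reports; firmware that has been tampered with can report whatever revision it likes, so a match is not proof of a clean drive, while a mismatch is something to act on.

```python
"""Baseline check of the identity a drive reports, for use after flashing a
known-good firmware and at later spot checks. Added example, not code from the
comment or from any vendor tool. Parses the line format of `smartctl -i`
(assumed field names below); the sample text and baseline are constructed."""
import re
import subprocess

# Field label as printed by smartctl -i (assumed) -> key used in the baseline.
FIELDS = {
    "Device Model": "model",
    "Serial Number": "serial",
    "Firmware Version": "firmware",
}
_LINE = re.compile(r"^(Device Model|Serial Number|Firmware Version):\s*(.*\S)\s*$")

def parse_smartctl_info(text: str) -> dict:
    """Reduce smartctl -i output to {'model': ..., 'serial': ..., 'firmware': ...}."""
    ident = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            ident[FIELDS[m.group(1)]] = m.group(2)
    return ident

def check_firmware_baseline(text: str, baseline: dict) -> dict:
    """Return the fields that differ as {field: (baseline_value, current_value)};
    an empty dict means the drive still reports exactly what was recorded."""
    current = parse_smartctl_info(text)
    return {
        key: (baseline.get(key), current.get(key))
        for key in sorted(set(baseline) | set(current))
        if baseline.get(key) != current.get(key)
    }

def read_live(device: str) -> str:
    """Live use: needs smartmontools and root; returns smartctl -i output."""
    return subprocess.run(["smartctl", "-i", device],
                          capture_output=True, text=True, check=False).stdout

# Constructed sample in the shape of smartctl -i output (not a real drive).
SAMPLE = """=== START OF INFORMATION SECTION ===
Device Model:     EXAMPLE-HDD-500
Serial Number:    WD-CONSTRUCTED001
Firmware Version: 01.01A01
User Capacity:    500,107,862,016 bytes [500 GB]
"""

# What was recorded right after the known-good flash (constructed).
BASELINE = {"model": "EXAMPLE-HDD-500", "serial": "WD-CONSTRUCTED001", "firmware": "01.01A01"}

if __name__ == "__main__":
    diffs = check_firmware_baseline(SAMPLE, BASELINE)
    print("OK, drive reports the baselined identity" if not diffs else f"MISMATCH: {diffs}")
    # Real check: diffs = check_firmware_baseline(read_live("/dev/sda"), BASELINE)
```

Keep the baseline somewhere the drive itself cannot alter (the read-only boot media the comment already proposes is a natural place), otherwise the comparison is only as trustworthy as the disk it is stored on.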

Re: Time for a new open source project

An open-source firmware for hard disks may not be as simple as that. I've heard - 2nd hand, but from a source I put a reasonable amount of trust in - that at least one of the vendors listed has set the hard drives up to require signed firmware, or the disk won't accept it. If you can't sign the code with a key the disk will accept, your open source project won't gain traction.

Also: it would be short-sighted to assume the scope of the actions here is limited to hard drives. Yes, this set of recently released documents is HDD specific. Yes, HDDs make an excellent target for this attack vector, for a variety of reasons, not the least of which is that, being hard disks, storage space presumably isn't an issue and so you presumably wouldn't be so severely constrained on the size of the malware you were shipping. But hard disks aren't the only built-in peripherals that allow for field-upgradeable firmware. Video cards, motherboards, CPUs - almost all of them have some amount of field-writable, onboard storage coupled with the firmware that allows them to operate. In fact, while they'd be harder targets, they might well be more valuable.

After all: You can remove a potentially compromised HDD from a system entirely, and run it off of live media on thumbdrive/cd/dvd/etc. Most people would have a very hard time running that same live media system w/o a video card. Or a motherboard.

Re:

Isn't it illegal even for the government to violate the law? Why isn't this considered a violation of CFAA? Shouldn't the perpetrators be charged accordingly?

Charged by whom? It is illegal, but I don't think citizens have the right to charge the government with a crime in the USA--a prosecutor has to do it, and they're not doing it. (Evidently, in some countries private citizens can file criminal charges.)

Re:

Don't forget that the US is also the land of unfettered Capitalism.

If you can afford it, you too can buy your freedom - from persecution, from surveillance, from incarceration, from law, from taxes, from... whatever the particular level of freedom you can afford offers freedom from.

So the meme "Get rich or die trying." is now more than ever, the true motto of America.